Traditionally, understanding application risk from the results of multiple tests run with different categories of tools, such as Static Application Security Testing (SAST) tools, Dynamic Application Security Testing (DAST) tools, and Interactive Application Security Testing (IAST) tools, is quite challenging because these tools report different metrics. These metrics are also static: they do not account for the risk associated with stale findings. For instance, they do not reflect newly identified vulnerabilities or improved scanning techniques that emerge after a scan has completed. Some existing technology evaluates risk only within a given category of tools, without considering the other categories. Some existing technology does not adjust risk scores after scanning to account for time-based or other factors.
In view of the foregoing, a need exists for a scoring solution that computes software risk by considering tests performed by multiple categories of software security testing tools, and that provides a normalized score scale despite the metric differences among those categories. Further, there is a need to adjust scores over time to account for additional risk that may arise after a scan has completed.
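As an added illustration, not the method described in the text above, the following Python shows one way a cross-category score could be normalized onto a common scale and then adjusted for the age of the scan. The per-category scales, the 90-day half-life and the combination rule are all constructed assumptions for this example.

```python
from dataclasses import dataclass
from datetime import date

# Constructed, illustrative scales: each tool category reports its own metric.
SAST_SCALE = {"critical": 1.0, "high": 0.8, "medium": 0.5, "low": 0.2}  # label-based
DAST_CVSS_MAX = 10.0         # assume DAST reports CVSS base scores 0..10
IAST_RATING_MAX = 100.0      # assume IAST reports a 0..100 rating


@dataclass
class Finding:
    category: str   # "SAST", "DAST" or "IAST"
    metric: object  # raw metric in the tool's own units


def normalize(f: Finding) -> float:
    """Map a finding's tool-specific metric onto a common 0..1 risk scale."""
    if f.category == "SAST":
        return SAST_SCALE[str(f.metric).lower()]
    if f.category == "DAST":
        return min(max(float(f.metric), 0.0), DAST_CVSS_MAX) / DAST_CVSS_MAX
    if f.category == "IAST":
        return min(max(float(f.metric), 0.0), IAST_RATING_MAX) / IAST_RATING_MAX
    raise ValueError(f"unknown tool category: {f.category}")


def staleness_factor(scan_date: date, today: date, half_life_days: int = 90) -> float:
    """Unknown risk that has accumulated since the scan, 0..1. After one
    half-life the scan is trusted only half as much (assumed decay model)."""
    age_days = max((today - scan_date).days, 0)   # future-dated scans count as fresh
    return 1.0 - 0.5 ** (age_days / half_life_days)


def application_score(findings, scan_date: date, today: date,
                      half_life_days: int = 90) -> float:
    """Combine normalized findings as independent risks, 1 - prod(1 - n_i),
    then let staleness pull the score toward the maximum. Result is 0..100."""
    remaining = 1.0
    for f in findings:
        remaining *= 1.0 - normalize(f)
    base = 1.0 - remaining
    stale = staleness_factor(scan_date, today, half_life_days)
    adjusted = base + (1.0 - base) * stale   # residual risk grows with scan age
    return round(adjusted * 100.0, 1)


# Constructed sample findings from three tool categories.
SAMPLE = [Finding("SAST", "High"), Finding("DAST", 7.5), Finding("IAST", 40)]
```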